Stuxnet-like attacks could cross the "air gap" that was the ultimate security system-isolation technique for computers before the days of wireless computing, and change the whole approach government and military authorities use to evaluate risk, according to security experts writing for Government Computer News.

"There are a lot of skills needed to write Stuxnet," Parker said. "Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That's a broad set of skills. Does anyone here think they could do all of that?"

"This was probably not a western state. There were too many mistakes made. There's a lot that went wrong," he said. "There's too much technical inconsistency. But, the bugs were unlikely to fail. They were all logic flaws with high reliability." -- Threatpost

Lawson compared the concealment routines to "what Bulgarian teenagers were doing in the early '90s."

"There are your standard routines for hiding from AV tools, XOR masking, and installing a rootkit. But Stuxnet does no better at this than any other malware discovered last year. It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day," Lawson wrote in his blog.

Second, the Stuxnet developers seem to be unaware of more advanced techniques for hiding their target. They use simple "if/then" range checks to identify Step 7 systems and their peripheral controllers. If this was some high-level government operation, I would hope they would know to use things like hash-and-decrypt or homomorphic encryption to hide the controller configuration the code is targeting and its exact behavior once it did infect those systems. -- Nate Lawson, Root Labs, blog, Jan. 17.
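Lawson's contrast matters most to the analyst who has only the sample in hand, because it decides how much of the target can be read straight out of the code. The following Python is an added illustration, not code from Stuxnet, Root Labs, or this article: the configuration fields and values are constructed for the example, and it shows only the comparison half of hash-and-decrypt (an embedded digest instead of plaintext constants), which is enough to make the point about what static inspection reveals.

```python
import hashlib

# Constructed "host configurations": invented fields and values standing in for
# whatever facts a sample might observe about a controller. Not real Step 7 data.
OBSERVED_MATCH = {"vendor_id": 0x1234, "device_count": 6, "freq_hz": 900}
OBSERVED_OTHER = {"vendor_id": 0x1234, "device_count": 2, "freq_hz": 50}

# Style 1: plain if/then range checks. The target profile is written into the
# code as literals, so anyone reading the sample recovers it directly.
PLAIN_TARGET = {"vendor_id": 0x1234, "device_count": (4, 8), "freq_hz": (800, 1200)}


def plain_check(cfg):
    """Range checks against constants embedded in the sample."""
    lo, hi = PLAIN_TARGET["device_count"]
    flo, fhi = PLAIN_TARGET["freq_hz"]
    return (cfg["vendor_id"] == PLAIN_TARGET["vendor_id"]
            and lo <= cfg["device_count"] <= hi
            and flo <= cfg["freq_hz"] <= fhi)


def canonical(cfg):
    """Deterministic byte encoding of a configuration, so equal configs hash equally."""
    return "|".join(f"{k}={cfg[k]}" for k in sorted(cfg)).encode()


# Style 2: hash-and-decrypt. Only a digest of the expected environment is embedded.
# The digest is computed here from the constructed matching config, standing in for
# a value an author would precompute offline.
EMBEDDED_DIGEST = hashlib.sha256(canonical(OBSERVED_MATCH)).hexdigest()


def keyed_check(cfg):
    """Exact-match check: the observed environment must hash to the embedded digest."""
    return hashlib.sha256(canonical(cfg)).hexdigest() == EMBEDDED_DIGEST


def analyst_view():
    """What a reader of each sample learns without ever seeing a target host."""
    return {
        "plain": PLAIN_TARGET,                 # full target profile, readable as constants
        "keyed": {"digest": EMBEDDED_DIGEST},  # a digest only; the profile must be guessed
    }


if __name__ == "__main__":
    print("plain:", plain_check(OBSERVED_MATCH), plain_check(OBSERVED_OTHER))
    print("keyed:", keyed_check(OBSERVED_MATCH), keyed_check(OBSERVED_OTHER))
    print(analyst_view())
```

Two things follow for a defender. First, the keyed form is brittle by design: it matches one exact environment rather than a range, which is one practical reason an author might settle for plain range checks. Second, recovering the target from the keyed sample means enumerating candidate configurations until one hashes to the digest, so the analyst's leverage is knowing what fields are canonicalized and how, which is exactly what the plain version hands over for free.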

Stuxnet may be the most sophisticated worm ever created, and could only have come from the supersecret, black-budget labs of America's and Israel's most elite security agencies; or it was cobbled together by some multinational but inconsequential team of regional intelligence operators; or it was a routine virus that got out of control and was used by Iran as an excuse for belligerent accusations against Western policies, to generate unity through a feeling of persecution at home, and to inspire obsessive loners living in basements to attack the IT infrastructure of the U.S. rather than the government that actually oppresses them.

Or, it was a pretty effective digital attack by people who don't like the idea of Iran having nuclear weapons, was created in a middling-quality IT military or intelligence lab, was used pretty effectively for quite a long time before it was discovered, and generated a typically ham-handed response from the Iranian government.

The second most interesting thing is that it apparently inspired the creation or radicalization of loner, basement-living hackers in Iran who currently use their computer skills to go through proxies and play World of Warcraft, read banned Western news sources or look at pornography, but are starting to focus their misspent energy and frustration on getting back at the U.S. instead of Iran. Interesting unintended consequence.